How do I get CSV lookup table parameter working in an event definition?

Graylog Central (peer support)
1

1. Describe your incident:

I have followed the instructions in https://graylog.org/post/risk-based-alerts/ and gotten a working event. I am trying to do something similar using the CSV file data adapter. I am not sure whether my understanding of key-values is off but I have been mostly unsuccessful (I got something working but lost the settings I used).

Also, sometimes when I try to edit the event definition on the Filter & Aggregation page, I get directed to an error page with this message:

Cannot convert undefined or null to object

Stack Trace:

TypeError: Cannot convert undefined or null to object
at Object.values ()
at http://x.x.x.x:9000/assets/app.0c1b977fb37d5c5fefe7.js:5951:6499
at Array.map ()
at et (http://x.x.x.x:9000/assets/app.0c1b977fb37d5c5fefe7.js:5951:6363)
at Za (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:372:20600)
at Ji (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:45830)
at $i (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:41338)
at Dc (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:41266)
at ga (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:41117)
at A_ (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:37328)

Component Stack:
TypeError: Cannot convert undefined or null to object
at Object.values ()
at http://x.x.x.x:9000/assets/app.0c1b977fb37d5c5fefe7.js:5951:6499
at Array.map ()
at et (http://x.x.x.x:9000/assets/app.0c1b977fb37d5c5fefe7.js:5951:6363)
at Za (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:372:20600)
at Ji (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:45830)
at $i (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:41338)
at Dc (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:41266)
at ga (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:41117)
at A_ (http://x.x.x.x:9000/assets/vendor.c9166e2ce51869fc4e43.js:374:37328)

I am attempting to trigger an event creation whenever a user in a list of names attempts a logon.

Search query: gim_event_type:logon AND user_name:$userName$

2. Describe your environment:

  • OS Information: Ubuntu 24.04.3 LTS

  • Package Version:
    * Graylog 7.0.2-1
    * MongoDB 8.0.17

3. What steps have you already taken to try and solve the problem?

  • changed the ownership of the CSV file(s) to graylog:graylog

  • different configuration settings with the CSV file

    • first CSV file with column titles: userName and baseCountry

    "userName","baseCountry"
    "jane","SG"
    "claude","RU"

    • second CSV file with column titles: index, userName and baseCountry

    "index","userName","baseCountry"
    "1","jane","SG"
    "2","claude","RU"

  • different settings within the event definition

    • setting the lookup table key as userName / index / jane / 1
    • changing the name of the parameter from $userName$ to something else in case the parameter name clashes with the CSV file column name

4. How can the community help?

Maybe a working example of a parameter used within a event definition, from a CSV file lookup table? Thank you and Happy 2026!

2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.